Posted by timothy on Sunday July 04, 2010 @06:09PM from the shouldn't-be-an-app-for-that dept.

An anonymous reader writes "Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen. What's more concerning is that it seems individuals' iTunes accounts have been hacked to make mass purchases of that one developer's apps." Among the comments attached to the linked story is one which suggests the security problem may lie elsewhere.
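A defender-side heuristic for the two signals the summary describes (one developer holding most of a category chart, and accounts that suddenly buy a burst of that developer's apps), written as an added example that is not part of the original story or of any Apple system; the chart and purchase records below are constructed placeholders, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed chart: (rank, app_id, developer) for a 50-slot category chart.
# Developer "dev_x" holds 40 of the 50 slots, mirroring the 40-of-50 case above.
SAMPLE_CHART = [(r, f"app{r}", "dev_x" if r % 5 else f"dev_{r}") for r in range(1, 51)]

# Constructed purchases: (account, app_id, developer, unix_timestamp).
# acct_a buys six dev_x apps within a minute; acct_b shows ordinary behaviour.
SAMPLE_PURCHASES = (
    [("acct_a", f"app{i}", "dev_x", 1000 + 10 * i) for i in range(1, 7)]
    + [("acct_b", "app5", "dev_5", 900), ("acct_b", "app12", "dev_x", 5000)]
)


def developer_share(chart, top_n=50):
    """Fraction of the top_n chart slots held by each developer."""
    slots = [dev for rank, _, dev in chart if rank <= top_n]
    return {dev: n / len(slots) for dev, n in Counter(slots).items()}


def flag_dominant_developers(chart, top_n=50, max_share=0.3):
    """Developers holding more than max_share of the chart (assumed threshold)."""
    shares = developer_share(chart, top_n)
    return sorted(dev for dev, share in shares.items() if share > max_share)


def flag_burst_accounts(purchases, min_apps=5, window_s=600):
    """Accounts buying >= min_apps apps from one developer within window_s seconds.

    Returns {account: developer}; a burst like this from many accounts is the
    purchase pattern that would push one developer's apps up a chart.
    """
    by_account = defaultdict(list)
    for account, app, dev, ts in purchases:
        by_account[account].append((ts, dev, app))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (ts0, dev0, _) in enumerate(events):
            same_dev = [e for e in events[i:] if e[1] == dev0 and e[0] - ts0 <= window_s]
            if len(same_dev) >= min_apps:
                flagged[account] = dev0
                break
    return flagged


if __name__ == "__main__":
    print("dominant developers:", flag_dominant_developers(SAMPLE_CHART))
    print("burst accounts:", flag_burst_accounts(SAMPLE_PURCHASES))
```

Running it flags dev_x for the chart and acct_a for the purchase burst; in practice the chart check runs per category on each ranking refresh, and the burst check runs over the purchase stream before the purchases count toward rankings.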

Perhaps this is just another reason why I don't use iTunes. If I like an artist I download, I'll buy their CD - if not, I delete it. And it makes it much easier to convert a CD to ogg or flac than with a lot of Apple's AAC crap.

Jobs doesn't care as long as he can buy another yacht. Someone will mod this troll because they are an Apple fanboy. But the truth is he is as unscrupulous as Ballmer, Larry Ellison, and a world of corporations and lawyers. Apple, just like the rest, will only do as little as they need to as long as they have a bunch of sheep willing to buy whatever he trots out on stage next.

More details here, though so far there's no explanation of how the accounts are getting hacked.

It's not hard to guess: Average people use the same password for just about everything, or simple permutations of the same password. Get access to any source that the user entered a password for, gain access to everything else.

It's kind of like blaming Blizzard for people's WoW accounts getting hacked. Your account has something someone wants, they'll try to get it. If you use weak passwords, well, no one's fault but your own there.

Yep. Email for you: "Secure your iTunes account now...All iTunes customers are encouraged to log on to their account and change their passwords now. CLICK HERE TO GO TO THE SECURE WEBSITE. Enter your personal info and we will make sure you are protected...blah blah"

I hate to think that 20 years from now we will still have people all around the world falling victim to phishing. Every day I get princes and princesses from all around the world who need my help in transferring millions of dollars to the US. Every time I delete the email, I think, "lots of people are falling for this today and losing their money....sad!"

Except Blizzard has a track record of account restoration and decent customer service in this area.

In reality, most of the time it's neither party's fault -- the recent Adobe Flash exploit hurt a lot of people as they targeted Flash advertisements for WoW websites... even legitimate websites could be infected as they have to show advertisements to stay in business.

Thankfully, Blizzard realizes that blaming end-users when a large, large percentage did not 'ask' for it, only costs the company money in the end when users stop using their service.

Another problem with iTunes: "All sales are final."....
From the Terms and Conditions, security section:
"You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

I fail to see what relevance Apple (much less Steve Jobs personally) has here. This is about hacked user accounts. This kind of thing is an unfortunate fact of life, keeping in mind that social engineering attacks take up the majority in security breaches. There's only so much Apple can do to mitigate this, and I don't see that they missed anything.

Heck, if anything, Apple's "walled garden" model - for all my dislike of it - is most efficient at dealing with these kinds of abuses. When malware authors have to go to the effort of hacking user accounts to get their crap shoved at users, you know they're tight against the wall already. In comparison, with Android, you just call yourself "Googe" (note spelling) and upload your malware directly [androlib.com].

(How do I know it's malware? I haven't installed it, of course - but when all their apps, including a non-multiplayer five-in-a-row game, request "full network connectivity" and "location information" permissions on install, you know something's fishy; the fake company name is just icing on the cake.)

The irony is that I can't even use the Market feature to report it as malware, or at least write a 1-star review with a warning, because you can only write reviews/complaints once you install the app...

After reading the article, the other linked article, and the comments posted on the linked site, I have to ask what's more likely here: that approximately 30 people out of 100+ million iTunes users have systems infected with key-loggers and were phished, or that the App Store has some huge security problem?